No kidding. I know there are smart people at DISA, but the general output seems to be from people who don't actually use computers or follow their own rules.

Leam

On 07/25/15 19:56, Trevor Vaughan wrote:
Interesting. Not looking forward to the backlash on implementing that one.

Trevor

On Fri, Jul 24, 2015 at 2:56 PM, Shawn Wells <[email protected]
<mailto:[email protected]>> wrote:

    Unfortunately, DISA now requires that 15 of the characters differ
    between passwords.

    Ref: https://github.com/OpenSCAP/scap-security-guide/issues/91

    Awkwardly citing the same requirement (SRG-OS-000072), of which the
    full text is:

        The operating system must require the change of at least 15 of
        the total number of characters when passwords are changed.

        If the operating system allows the user to consecutively reuse
        extensive portions of passwords, this increases the chances of
        password compromise by increasing the window of opportunity for
        attempts at guessing and brute-force attacks.

        The number of changed characters refers to the number of changes
        required with respect to the total number of positions in the
        current password. In other words, characters may be the same
        within the two passwords; however, the positions of the like
        characters must be different.


    On 7/24/15 2:44 PM, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:

        The DoD states 50% of the minimum password length, which rounds
        up to 8 and coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG
        also applies to systems outside the DoD, which may dictate some
        initial/default rules.

        However, 15 seems to be too high for a default parameter.

        Regards,
        --
        Paul C. Arnold
        IT Systems Engineer
        Cole Engineering Services, Inc.

        ________________________________________
        From: [email protected]
        <mailto:[email protected]>
        [[email protected]
        <mailto:[email protected]>] on
        behalf of Shaw, Ray V CTR USARMY ARL (US)
        [[email protected] <mailto:[email protected]>]
        Sent: Friday, July 24, 2015 02:30 PM
        To: scap-security-guide
        [[email protected]
        <mailto:[email protected]>]
        Subject: difok value in stig-rhel7-server-upstream profile

        RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the
        following:

        <refine-value idref="var_password_pam_difok" selector="15" />

        Should this be changed from 15 to 4?  The help text indicates
        that the DoD requirement is 4, and other documentation seems to
        support this.

        --
        Ray Shaw (Contractor, STG)
        Army Research Laboratory
        CISD, Unix Support
        --
        SCAP Security Guide mailing list
        [email protected]
        <mailto:[email protected]>
        https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
        https://github.com/OpenSCAP/scap-security-guide/


    --
    Shawn Wells
    Director, Innovation Programs
    [email protected] <mailto:[email protected]> | 443.534.0130
    <tel:443.534.0130>
    @shawndwells


--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --

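Added example (editor's code, not from the thread or from the SCAP Security Guide project): how a difok requirement is actually scored against an old/new password pair. The SRG-OS-000072 text quoted above defines the count by position (the same characters may appear, but in different positions), whereas pam_pwquality(8) documents difok as the number of characters in the new password that do not occur anywhere in the old one; the `var_password_pam_difok` refine-value in the profile ends up as that module's `difok` setting (for example `difok = 15` in /etc/security/pwquality.conf). Both rules are implemented below so the values debated in the thread (4, 8, 15) can be compared on the same input. Assumptions: for the position rule, positions beyond the shorter password count as changed (the SRG text does not say); the password pairs are constructed samples, not real credentials.

```python
"""Score old/new password pairs against a difok threshold under two rules.

changed_positions  - SRG-OS-000072 wording: positions whose character differs
                     from the current password (assumption: any length
                     difference also counts as changed positions).
chars_not_in_old   - pam_pwquality(8) difok rule: characters of the new
                     password that occur nowhere in the old password.
"""
from typing import Callable, Dict

Rule = Callable[[str, str], int]


def changed_positions(old: str, new: str) -> int:
    """SRG-style count: differing positions plus any length difference."""
    common = min(len(old), len(new))
    differing = sum(1 for i in range(common) if old[i] != new[i])
    return differing + abs(len(new) - len(old))


def chars_not_in_old(old: str, new: str) -> int:
    """pam_pwquality-style count: characters of new absent from old.

    Each character of the new password is tested separately, so repeated
    characters each add to the count.
    """
    old_chars = set(old)
    return sum(1 for c in new if c not in old_chars)


def meets_difok(old: str, new: str, difok: int, rule: Rule = chars_not_in_old) -> bool:
    """True if the pair satisfies difok=N under the given counting rule.

    difok=0 is special in pam_pwquality: similarity checks are disabled and
    only an exact match with the old password is rejected.
    """
    if difok == 0:
        return new != old
    return rule(old, new) >= difok


def score(old: str, new: str, thresholds=(4, 8, 15)) -> Dict[str, object]:
    """Report both counts and pass/fail for the difok values debated in the thread."""
    return {
        "changed_positions": changed_positions(old, new),
        "chars_not_in_old": chars_not_in_old(old, new),
        "srg_rule": {n: meets_difok(old, new, n, changed_positions) for n in thresholds},
        "pwquality_rule": {n: meets_difok(old, new, n) for n in thresholds},
    }


# Constructed sample pairs (not real credentials).
SAMPLE_PAIRS = [
    ("Summer2015!", "Summer2016!"),                      # one character bumped
    ("Correct-Horse-Battery", "Battery-Horse-Correct"),  # same characters, reordered
    ("Summer2015!", "xKq9#vLp&Zw3rT"),                   # essentially a new password
]

if __name__ == "__main__":
    for old, new in SAMPLE_PAIRS:
        r = score(old, new)
        print(f"{old!r} -> {new!r}")
        print(f"  changed positions (SRG wording):  {r['changed_positions']:2d}"
              f"  pass@4/8/15: {r['srg_rule']}")
        print(f"  chars not in old (pam_pwquality): {r['chars_not_in_old']:2d}"
              f"  pass@4/8/15: {r['pwquality_rule']}")
```

Running it shows why the two definitions matter: the reordered-word pair changes 12 positions (passing a position-based difok of 8, failing 15) but scores 0 under the pam_pwquality rule, since every character of the new password already appears in the old one. Whether a given value of `var_password_pam_difok` is "the DoD requirement" therefore depends on which of the two counts the checker and the enforcing module agree on.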